Is Telegram Safe? Depends on how you use it.
Ever wondered, is Telegram safe?
Often compared to its more popular rival WhatsApp, Telegram bills itself as a privacy-focused alternative that champions data rights over corporate profit.
Many privacy and security features, like self-destructing messages and private chat groups, originated from Telegram.
But how safe is Telegram exactly? Is Telegram really safe, and do its secret chats actually protect your privacy?
Turns out, Telegram is actually pretty safe – with a few caveats.
The Verdict: Telegram is Safe-ish
Despite efforts to market itself as the most privacy-focused instant messaging app, Telegram really isn't too different from competitors like WhatsApp.
Most people would readily agree that Telegram is safer than WhatsApp. Telegram says so itself, arguing that unlike WhatsApp:
- they do not do unencrypted third-party backups
- they have no profit motive and therefore have no interest in collecting user data
Telegram is likely no more or less secure than WhatsApp.
It may be plausible, though, to say that hackers have more opportunities to access WhatsApp backups compared to Telegram backups, since WhatsApp backups are stored in two locations rather than one.
But it's also true that Telegram isn’t anywhere near as secure as Signal. Unlike Telegram, Signal conceals all metadata completely and does not require users to provide a mobile phone number.
Ultimately, there's really only a handful of recognised encryption standards that instant messaging apps can use.
What's truly missing from Telegram, however, is transparency.
WhatsApp may have had more than its fair share of controversy, but everyone knows how the app works, how it makes money and who is behind the app.
With Telegram, however, you're going to have to take it on good faith that the app honours its commitment to protecting user privacy. The app has made good on its word so far, but you'll need to decide if trusting the app based on nothing more than written promises is worth the risk.
Is Telegram Safe? Here’s what critics say.
Critics often claim that Telegram is unsafe for the following reasons:
Point 1: Telegram uses its own proprietary protocol
Telegram is built around its own custom MTProto protocol. According to the team, this ensures that Telegram works reliably even on weak mobile connections.
Many experts have, however, cited flaws with Telegram’s encryption protocol.
In 2017, cyber-security researchers at MIT discovered that hackers can actually locate Telegram users with pinpoint accuracy due to the app’s exposure of metadata.
And because Telegram’s custom protocol has not been audited externally, it’s uncertain if Telegram’s encryption actually works as intended.
Still, Telegram users who use the actual version of the app have not encountered any data breaches to date.
Point 2: Not all chats on Telegram are end-to-end encrypted
Unlike other instant messaging apps like WhatsApp and Signal that automatically apply end-to-end encryption for all chats, Telegram only does the same for secret chats.
For standard conversations and chat groups on Telegram, only server-to-client encryption is applied. While this still effectively denies access to any external third party, Telegram can view the message content in these conversations.
Point 3: Telegram does store some of your information for some time
Contrary to popular expectations, Telegram does state clearly in its privacy policy that the app may collect metadata such as IP addresses and device type, and that any collected data is stored for a period of up to 12 months.
One exception is content transmitted via secret chats. Telegram has repeatedly assured users that all information sent and received via secret chats is inaccessible without direct access to the users’ device.
Point 4: Telegram relies heavily on personal phone numbers
Telegram has always used mobile phone numbers as user identifiers, and this feature compromises Telegram account privacy and safety in two ways:
For one, Telegram accounts can be traced back to you if someone knows your phone number.
As online activist movement Reclaim The Net has highlighted, it is possible for governments to identify Telegram users by simply adding thousands of phone numbers to a single mobile device and then syncing it with the app itself.
Additionally, Telegram sends verification codes via SMS to associated mobile phone numbers.
The vulnerabilities of SMS-based authentication have been well-documented. Often, hackers can exploit it as a backdoor to gain access to user accounts.
Even with the app’s full suite of privacy and security features, hackers were still able to access the phone numbers of nearly 15 million Iranian Telegram users by exploiting the app’s SMS authentication feature.
Other issues with Telegram safety
Beyond the points addressed above, some other questions users often have on Telegram privacy and safety include:
- Is the use of third-party bots on the app safe?
- How safe are Telegram secret chats?
Is the use of third-party bots on Telegram safe?
Early last year, cybersecurity research firm Forcepoint Security Labs alleged that Telegram was being used as a command-and-control infrastructure for malware.
The malware would covertly infect the target mobile device when a user installed a third-party bot, and give hackers remote access to the device upon installation.
Telegram’s official response was that there was no security flaw with the Telegram bot API, and that the incident was simply a mistake made by the external developer.
Still, Telegram cautions users to treat bots as if they are human users. Bots can gain access to sensitive information should you choose to disclose it to them.
How safe are Telegram secret chats?
Definitely safe. Telegram secret chats are end-to-end encrypted. Users can also set a self-destruct timer so that the chat automatically deletes itself after a certain period expires.
Because secret chats are end-to-end encrypted, no one except the sender and receiver can view their contents. If a self-destruct timer has been set, these messages will also no longer be viewable (or recoverable) on any device.
Use Telegram safely with a fake phone number
Telegram’s dependence on mobile phone numbers is a weakness – but thankfully one that’s easy to rectify.
To better protect your Telegram account, we recommend associating your Telegram account with a fake phone number instead of your actual phone number.
Ideally, this fake phone number should be a burner phone number that is untraceable and can be readily disposed of.
To get started, you can get burner phone numbers with our very own Phoner app.
By doing so, you can:
- Receive Telegram verification code SMSes on your fake phone number and avoid the risks posed by SMS vulnerabilities
- Prevent anyone from easily tracing your Telegram account since the associated number cannot be traced back to you.
Don’t take Telegram safety for granted
Telegram may champion itself as a user privacy advocate, but you shouldn’t rely on just Telegram to guarantee your privacy and safety on the app.
While the app certainly hasn’t had to deal with as many privacy scandals, it’s best to always err on the side of caution.
Because all it takes to get hold of your personal information is one successful attack.
So, Is Telegram Safe? It’s safer, but only as safe as how you choose to use it. For a safer experience on Telegram, start with using a fake phone number. Chat with friends and family safely on Telegram today!